Archive

Posts Tagged ‘malware analysis’

Anti Debugging unleashed series # Part 1

September 26th, 2011 1 comment

This is the first in the series of anti debugging tricks. I will discuss the various anti debugging tricks one by one in my further posts:

 

I will start with the most basic ones.

 

The first one in the race is the PEB.BeingDebugged flag.

PEB refers to Process Environment Block, and it contains the information regarding the Environment and various parameters of a process. fs:[0x30] always points to PEB. The structure of PEB can be seen using the following command in windbg:

 

0:000> dt _PEB

 

+0×000 InheritedAddressSpace : UChar

+0×001 ReadImageFileExecOptions : UChar

+0×002 BeingDebugged : UChar

+0×003 SpareBool : Uchar

 

For a process that is being debugged, note the peb.BeingDebugged flag below in windbg:

 

!peb

PEB at 7ffda000

InheritedAddressSpace: No

ReadImageFileExecOptions: No

BeingDebugged: Yes

ImageBaseAddress: 00400000

Ldr 00261ea0

 

Hence, a program using the anti debugging techniques can use this flag to know whether the program is being debugged or not.

 

The api IsDebuggerPresent() in kernel32.dll checks this flag to determine the presence of the debugger.

 

This check can be easily bypassed by patching the PEB.BeingDebugged flag to 0.

 

Ch33r5 !!!

 

Switch to our mobile site